Cybersecurity experts from Hudson Rock have uncovered a new series of cyber attacks orchestrated by the HellCat ransomware group, targeting four companies located in the United States and Europe. The attacks share a commonality: the use of stolen Jira credentials, which were obtained through infostealer malware well before the breaches occurred.
On April 5, 2025, HellCat publicly disclosed the breaches on their leak site, featuring countdown timers aligned with their notorious slogan, “Jiraware < < 3!!” Their announcements indicated that they had pilfered sensitive internal documents, emails, and financial data, threatening to leak or sell this information unless their demands were met.
The companies affected include Asseco Poland, a prominent IT solutions provider; HighWire Press, a U.S.-based platform catering to scholarly publishers; Racami, a U.S. firm specializing in customer communications technology; and LeoVegas Group, an online gaming and betting enterprise based in Sweden.
Hudson Rock's report outlines that these breaches stem from the same primary vulnerability: Jira credentials stolen via infostealer malware such as StealC, Raccoon, Redline, and Lumma Stealer. These malware variants compromised employee machines, capturing login information months or even years before the ransomware attacks launched. With access to these credentials, HellCat infiltrated the Atlassian Jira environments of the target companies, navigating through internal networks, extracting sensitive data, and initiating their ransomware operations.
This tactic is not unfamiliar; HellCat has previously exploited similar vulnerabilities to breach other organizations, including Jaguar Land Rover, Telefonica, Schneider Electric, and Orange. Their established pattern entails discovering credentials within infostealer logs, accessing Jira, exfiltrating sensitive information, and subsequently issuing ransom demands.
Context for these events comes from a recent Hudson Rock report, which highlighted how infostealers—some available for as little as $10—have jeopardized critical infrastructure globally. Alarmingly, this includes systems linked to the FBI, Lockheed Martin, Honeywell, and segments of the U.S. military, underscoring the severity of the threat posed by infostealer malware.
The attention given to Jira is due to its crucial role beyond merely serving as a project management tool. In many organizations, it serves as an integral hub for development workflows, customer information, organizational documentation, and system access control. Compromising Jira can often lead attackers to broader system access, making it a particularly enticing target for ransomware groups like HellCat. Furthermore, many enterprises fail to enforce stringent security measures on Jira accounts, inadvertently creating vulnerabilities that attackers can exploit with relative ease.
Researchers assert that the effectiveness of HellCat's methods largely stems from the capabilities of infostealer malware, which infiltrates user devices to harvest saved logins, session tokens, and cookies. The harvested data is then either sold on dark web platforms or used directly by groups like HellCat. Hudson Rock's findings indicate that, across a dataset of more than 30 million infected devices, Jira credentials belonging to numerous companies appear in infostealer logs. In this instance, the exposed credentials had remained dormant, unmonitored, and unchanged, giving HellCat ample time to plan the breach.
To mitigate such risks, organizations should employ continuous monitoring for infostealer infections and utilize tools that can detect stolen credentials before they are exploited. Any signs of malware should prompt immediate resetting of compromised logins and thorough reviews of access protocols and suspicious activities. Specifically for Jira, implementing multi-factor authentication, restricting access, and enforcing network segmentation are vital steps in limiting potential damage from attackers should they gain entry. Regular employee training is also essential to bolster defenses against phishing and other tactics that commonly lead to such infections.
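As an added illustration of the "detect before it is exploited, then reset" check described above (example code written for this page, not from Hudson Rock's report or the article), the script below cross-references infostealer-log entries against a Jira user directory and flags accounts whose captured password was never rotated after the capture date. The host name `jira.example.com`, the users and all dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

@dataclass(frozen=True)
class StealerHit:
    url: str            # saved-login URL recorded by the stealer
    username: str
    captured_on: date   # when the infected host's credentials were harvested

@dataclass(frozen=True)
class JiraAccount:
    username: str
    password_changed_on: date
    mfa_enrolled: bool

# Constructed sample data: hypothetical host, users and dates, not from any real leak.
JIRA_HOST = "jira.example.com"
STEALER_HITS = [
    StealerHit("https://jira.example.com/login.jsp", "alice", date(2024, 6, 1)),
    StealerHit("https://jira.example.com/login.jsp", "bob", date(2023, 11, 15)),
    StealerHit("https://mail.example.com/owa", "carol", date(2024, 2, 2)),  # not Jira
    StealerHit("https://jira.example.com/login.jsp", "dave", date(2024, 3, 9)),
]
JIRA_ACCOUNTS = {
    "alice": JiraAccount("alice", date(2024, 8, 20), True),  # rotated after capture
    "bob": JiraAccount("bob", date(2022, 1, 10), False),     # stale password, no MFA
    "dave": JiraAccount("dave", date(2024, 3, 9), False),    # changed same day: still exposed
}

def exposed_jira_accounts(hits, accounts, jira_host, today):
    """One record per Jira account whose captured password may still work.
    Only a rotation strictly after the capture date invalidates the stolen copy.
    Sorted so MFA-less, longest-dormant accounts come first for reset triage."""
    earliest = {}
    for hit in hits:
        if urlparse(hit.url).hostname != jira_host:
            continue  # credential for some other service
        acct = accounts.get(hit.username)
        if acct is None or acct.password_changed_on > hit.captured_on:
            continue  # unknown user, or password already rotated
        if hit.username not in earliest or hit.captured_on < earliest[hit.username]:
            earliest[hit.username] = hit.captured_on  # keep the oldest capture
    records = [{"username": u, "days_exposed": (today - d).days,
                "mfa_enrolled": accounts[u].mfa_enrolled} for u, d in earliest.items()]
    return sorted(records, key=lambda r: (r["mfa_enrolled"], -r["days_exposed"]))

if __name__ == "__main__":
    for r in exposed_jira_accounts(STEALER_HITS, JIRA_ACCOUNTS, JIRA_HOST, date(2025, 4, 5)):
        print(f"RESET {r['username']}: exposed {r['days_exposed']} days, MFA={r['mfa_enrolled']}")
```

In a real deployment the hit list would come from an infostealer-log monitoring feed and the directory from Jira's user export; the same comparison then drives forced resets and MFA enrolment for every flagged account.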
Ultimately, while HellCat’s methodology is evident, the overarching problem remains the unchecked circulation of stolen credentials and the continued reliance on single-layer authentication for critical tools like Jira. Without substantial improvements to security practices, groups such as HellCat are likely to persist in their operations. The tactics employed by HellCat map to several MITRE ATT&CK categories, such as Initial Access, Credential Dumping, and Ransomware Deployment, reflecting a sophisticated understanding of how to exploit entry points into unsuspecting organizations.